Add TLS channel binding during NTLM authentication #1087
Conversation
…ng are enforced on the DC please install cannatag/ldap3#1087 and cannatag/ldap3#1042
This works well for my use case (access to Active Directory with LdapEnforceChannelBinding set to "Always").

@ThePirateWhoSmellsOfSunflowers: Good job on this part! :) Hoping for complete support ^^ For example, maybe you can look at:

Linked to:

Hi @Neustradamus! Thanks for the feedback! Unfortunately, my skills are limited to Python and I'm just interested in "offensive" LDAP, so I don't plan to port it to other projects. 🌻

@ThePirateWhoSmellsOfSunflowers: Thanks for your answer :)
Use github.com/cannatag/ldap3#1087 to add LDAP Channel Binding support to the RBCD example script.
Any update on this? Requiring channel binding is quickly becoming the standard, so this support would be hugely valuable.

hi @cannatag
Hi Augustin, I'll do it next week.
Bye,
Giovanni

On 6 Mar 2024, at 09:56, Augustin FL ***@***.***> wrote:
hi @cannatag
possible to merge this PR?
Hi, I'll work on this next week as well.
Bye,
Giovanni

On 6 Mar 2024, at 10:43, ThePirateWhoSmellsOfSunflowers ***@***.***> wrote:
Hi @cannatag!
Thanks for your message, is it possible to also take a look at #1042? Thanks
🌻
@ThePirateWhoSmellsOfSunflowers, @cannatag: Good news, this PR is soon one year old!

Thanks!

Can you check the 2.10 version in dev? I don't have access to AD so I cannot check if this PR is working as expected. Thanks,

Is it possible to tag a new release that includes this PR? Would be nice for downstream projects (CC fortra/impacket#1657).
For some reason I still cannot connect to the Active Directory servers at our company after installing the latest ldap3. My code looks like this:

```python
# imports added for completeness; ldap3 exports these names
from ldap3 import Server, Connection, ALL, NTLM, TLS_CHANNEL_BINDING, ENCRYPT

domain['_server'] = Server('AD_DOMAIN.COMPANY.COM', port=636, use_ssl=True, get_info=ALL)
domain['_conn'] = Connection(domain['_server'], user=AD_USERNAME, password=AD_PASSWORD,
                             channel_binding=TLS_CHANNEL_BINDING, authentication=NTLM,
                             session_security=ENCRYPT, raise_exceptions=True)
domain['_conn'].bind()
```

output:

I'm definitely using the new version of the library, as I can trigger the following exception:
Hi @BotoX! Not sure why, but in your snippet you use both 🌻

Hey @ThePirateWhoSmellsOfSunflowers, thanks for the quick response. To be clear, my connection code looks like this now:

```python
# imports added for completeness; ldap3 exports these names
from ldap3 import Server, Connection, ALL, NTLM, TLS_CHANNEL_BINDING

domain['_server'] = Server('AD_DOMAIN.COMPANY.COM', port=636, use_ssl=True, get_info=ALL)
domain['_conn'] = Connection(domain['_server'], user=AD_USERNAME, password=AD_PASSWORD,
                             channel_binding=TLS_CHANNEL_BINDING, authentication=NTLM,
                             raise_exceptions=True)
domain['_conn'].bind()
```

and I get the exact same log output as above (except for session_security='ENCRYPT' in the Connection object).
Mhhh, hard to debug blind, sorry. Last thing, can you try something like:

```shell
openssl s_client -connect AD_DOMAIN.COMPANY.COM:636 -servername AD_DOMAIN.COMPANY.COM 2>/dev/null | openssl x509 -noout -text | grep 'Signature Algorithm'
```

(source) According to the RFC

Maybe your certificate is not signed with MD5, SHA1 or SHA256? 🌻

You are correct:
Nice!

ldap3/ldap3/core/connection.py lines 1407 to 1417 in 86a9e7a

with

```python
from hashlib import sha384, md5
self.ntlm_client.tls_channel_binding = True
peer_certificate_sha384 = sha384(self.server.tls.peer_certificate).digest()
# https://datatracker.ietf.org/doc/html/rfc2744#section-3.11
channel_binding_struct = bytes()
initiator_address = b'\x00'*8
acceptor_address = b'\x00'*8
# https://datatracker.ietf.org/doc/html/rfc5929#section-4
application_data_raw = b'tls-server-end-point:' + peer_certificate_sha384
```

I'll submit a better PR if it works. 🌻

Can you test this branch please? https://github.com/ThePirateWhoSmellsOfSunflowers/ldap3/tree/fix_server_to_endpoint_hash (don't forget to add the 🌻
Thank you @ThePirateWhoSmellsOfSunflowers I can connect to the active directory / ldap with that branch now 👍 Had to apply this patch in order to install it on Linux though: 8eca7c8 |
Based on #1042, this PR adds TLS channel binding (tls-server-end-point) support. The idea is to bind the outer secure connection (TLS in our case) to application data over an inner client-authenticated channel (NTLM here). This kind of channel binding seems to be the only one supported by Microsoft Active Directory during NTLM authentication.

To perform channel binding during NTLM authentication, we need to add a new AV_PAIR (MS-NLMP 2.2.2.1) within the AUTHENTICATE_MESSAGE (MS-NLMP 2.2.1.3). This new AV_PAIR has AvId 0x000A (MsvAvChannelBindings). The Value field contains an MD5 hash of a gss_channel_bindings_struct. Basically we just have to put the sha256 of the server's certificate within this struct.

This PR also fixes a bug in the method pack_av_info() within the NtlmClient class.

The logic for this PR is heavily inspired by the "msldap", "minikerberos" and "asysocks" projects by @skelsec.
🌻
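As an added, stand-alone example (not code from ldap3 or from this PR), the following walks through the mechanism the PR description and the later hash-selection discussion describe: derive the tls-server-end-point data from the peer certificate, serialise the gss_channel_bindings_struct the way NTLM hashes it, MD5 it, and pack the result into the MsvAvChannelBindings AV_PAIR (AvId 0x000A). It generalises the fixed sha256/sha384 choice seen in the thread by reading the certificate's signatureAlgorithm OID and applying the RFC 5929 section 4.1 rule (MD5 and SHA-1 signatures bind with SHA-256, other algorithms with their own hash). It assumes the certificate is available as DER bytes, as returned by `getpeercert(binary_form=True)`; the function and constant names (`msv_av_channel_bindings`, `SIGNATURE_OID_TO_HASH`, and so on) and the two sample "certificates" are constructed for this example, and the samples are not valid X.509 certificates, only enough DER to exercise the code offline.

```python
import hashlib
import struct

# signatureAlgorithm OID -> hash for tls-server-end-point (RFC 5929 section 4.1).
# MD5/SHA-1 signatures bind with SHA-256; others bind with the hash they use.
# OIDs without one fixed hash (e.g. RSASSA-PSS, 1.2.840.113549.1.1.10) are left out.
SIGNATURE_OID_TO_HASH = {
    "1.2.840.113549.1.1.4": "sha256",   # md5WithRSAEncryption   -> SHA-256
    "1.2.840.113549.1.1.5": "sha256",   # sha1WithRSAEncryption  -> SHA-256
    "1.2.840.10045.4.1": "sha256",      # ecdsa-with-SHA1        -> SHA-256
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",    # ecdsa-with-SHA512
}

MSV_AV_CHANNEL_BINDINGS = 0x000A  # AvId of the channel bindings AV_PAIR (MS-NLMP 2.2.2.1)


def _der_element(buf, pos):
    """Read one definite-length DER TLV at buf[pos]; return (tag, value, end_offset)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n_octets = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n_octets], "big")
        pos += n_octets
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for octet in raw[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(cert_der):
    """Dotted OID of the outer signatureAlgorithm of a DER certificate
    (Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue })."""
    tag, body, _ = _der_element(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _, _, after_tbs = _der_element(body, 0)         # skip tbsCertificate
    _, sig_alg, _ = _der_element(body, after_tbs)   # AlgorithmIdentifier
    tag, oid_octets, _ = _der_element(sig_alg, 0)   # its algorithm OID
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(oid_octets)


def end_point_hash_name(cert_der):
    """Hash to use for tls-server-end-point, chosen from the signature algorithm."""
    oid = signature_algorithm_oid(cert_der)
    if oid not in SIGNATURE_OID_TO_HASH:
        raise ValueError("no tls-server-end-point hash rule for signature OID %s" % oid)
    return SIGNATURE_OID_TO_HASH[oid]


def tls_server_end_point(cert_der):
    """RFC 5929 section 4: b'tls-server-end-point:' + hash(DER certificate)."""
    return b"tls-server-end-point:" + hashlib.new(end_point_hash_name(cert_der), cert_der).digest()


def gss_channel_bindings_struct(application_data):
    """gss_channel_bindings_struct (RFC 2744 section 3.11) as NTLM hashes it: initiator and
    acceptor addrtype + length fields all zero (16 bytes), then the 4-byte little-endian
    application_data length and the data itself."""
    return b"\x00" * 16 + struct.pack("<I", len(application_data)) + application_data


def msv_av_channel_bindings(cert_der):
    """MsvAvChannelBindings AV_PAIR: AvId and AvLen (little-endian) followed by the 16-byte
    MD5 of the channel bindings struct, ready for the AUTHENTICATE_MESSAGE target info."""
    cbt = hashlib.md5(gss_channel_bindings_struct(tls_server_end_point(cert_der))).digest()
    return struct.pack("<HH", MSV_AV_CHANNEL_BINDINGS, len(cbt)) + cbt


def make_fake_cert(sig_oid_octets):
    """Constructed sample input (not a valid X.509 certificate): an empty tbsCertificate,
    the given signature OID, and a dummy signatureValue, just enough DER to run offline."""
    sig_alg = b"\x30" + bytes([2 + len(sig_oid_octets)]) + b"\x06" + bytes([len(sig_oid_octets)]) + sig_oid_octets
    body = b"\x30\x00" + sig_alg + b"\x03\x02\x00\x00"
    return b"\x30" + bytes([len(body)]) + body


# Constructed samples: sha384WithRSAEncryption (…1.1.12) and sha1WithRSAEncryption (…1.1.5)
CERT_SHA384 = make_fake_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0c")
CERT_SHA1 = make_fake_cert(b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x05")

if __name__ == "__main__":
    for name, cert in (("sha384-signed", CERT_SHA384), ("sha1-signed", CERT_SHA1)):
        print(name, end_point_hash_name(cert), msv_av_channel_bindings(cert).hex())
```

Against a real server, replace the constructed samples with the DER bytes of the peer certificate from the TLS socket; a value computed with the wrong hash (for instance SHA-256 against a SHA-384-signed certificate, the situation debugged above) is the same length and shape, so a mismatch only shows up as a bind failure on a DC enforcing channel binding.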